vmg / sundown

Standards compliant, fast, secure markdown processing library in C

Invalid memory read in find_emph_char #24

Closed kjk closed 13 years ago

kjk commented 13 years ago

The simplest repro for this is: "*ca"

find_emph_char() will be called with data pointing to "ca" and c == '*'.

while (i < size) {
    /* advance to the next candidate: the closing char, a backtick or a '[' */
    while (i < size && data[i] != c
           && data[i] != '`' && data[i] != '[')
        i += 1;
    /* if nothing was found, i == size here and this reads past the input */
    if (data[i] == c) return i;

Since there is no '*' in "ca", at this point i == size and data[i] == data[size] i.e. one byte past data. The fix is to add:

if (i >= size) return 0;

It will rarely be fatal in C, due to padding inside struct buf. I found it while testing my Go port (https://github.com/kjk/go-markup/commit/122da5f0ca90120bc2840eeeffdd34413286c718), where I use slices for data and Go is unforgiving about out-of-bounds slice access.
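An added example, not code from the sundown repository or from kjk's Go port: a cut-down version of the scan loop quoted above, with the unchecked form next to the form that carries the proposed `if (i >= size) return 0;` check, both run on the "*ca" repro. The real find_emph_char also handles backtick spans and links after this test; that part is left out here. The input array is constructed so that a sentinel '*' sits right after the logical end of the data (size == 2), standing in for whatever byte happens to follow the buffer in the real program, so the one-past-the-end read shows up as a false match instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable form (modelled on the snippet in the issue): no bounds check
 * between the inner scan and the test, so when no candidate is found the
 * function reads data[size], one byte past the input, and may take that
 * byte for the closing emphasis character. */
size_t scan_emph_unchecked(const uint8_t *data, size_t size, uint8_t c)
{
    size_t i = 0;

    while (i < size) {
        while (i < size && data[i] != c
               && data[i] != '`' && data[i] != '[')
            i += 1;
        if (data[i] == c)      /* i may equal size here: out-of-bounds read */
            return i;
        i += 1;                /* skip the '`' or '[' the scan stopped on */
    }
    return 0;
}

/* Hardened form: the check proposed in the issue, placed before data[i]
 * is dereferenced. Returning 0 means "no closing character", which is
 * what the caller expects for an unterminated span. */
size_t scan_emph_checked(const uint8_t *data, size_t size, uint8_t c)
{
    size_t i = 0;

    while (i < size) {
        while (i < size && data[i] != c
               && data[i] != '`' && data[i] != '[')
            i += 1;
        if (i >= size)
            return 0;          /* scan ran off the end: no match */
        if (data[i] == c)
            return i;
        i += 1;
    }
    return 0;
}

/* Constructed input for the "*ca" repro. The parser has already consumed
 * the opening '*', so data points at "ca" and size is 2. The third byte is
 * a sentinel outside the logical input; it is in the array only so the
 * unchecked read is observable rather than undefined. */
static const uint8_t sample[] = { 'c', 'a', '*' };

/* The unchecked scan returns 2 (== size), an index outside the input that a
 * caller would treat as a found closing '*'. */
size_t demo_unchecked(void) { return scan_emph_unchecked(sample, 2, '*'); }

/* The checked scan returns 0: no closing '*' in "ca". */
size_t demo_checked(void) { return scan_emph_checked(sample, 2, '*'); }

int main(void)
{
    printf("unchecked: %zu (index == size, read one past the input)\n",
           demo_unchecked());
    printf("checked:   %zu (no closing char)\n", demo_checked());
    return 0;
}
```

The unchecked scan does not crash here because the sentinel is inside the array, which is exactly why the bug is easy to miss in C: in sundown the byte after the data usually belongs to struct buf padding or slack, so the read is silent and only the false match remains. Running the same scan under a tool that flags one-past-the-end reads, or porting it to a bounds-checked language as kjk did, makes it visible.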

vmg commented 13 years ago

Nice find. Working on a fix...

vmg commented 13 years ago

Sorry this took too long. Just pushed a fix, it'll be on the next minor release.